Azure Authentication and Authorization using java - azure

How to authenticate azure using java with azure management or client libraries without directly using azure rest API's?
and what are the jars required for this?
Please help with samples.

If you want to use JAVA with Azure management for authentication, you can use the following two methods:
1.Create an instance of ApplicationTokenCredentials to supply the service principal credentials to the top-level Azure object from inside your code:
import com.microsoft.azure.credentials.ApplicationTokenCredentials;
import com.microsoft.azure.AzureEnvironment;
// ...
ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(client,
tenant,
key,
AzureEnvironment.AZURE);
Azure azure = Azure
.configure()
.withLogLevel(LogLevel.NONE)
.authenticate(credentials)
.withDefaultSubscription();
2.File based authentication:
# sample management library properties file
subscription=########-####-####-####-############
client=########-####-####-####-############
key=XXXXXXXXXXXXXXXX
tenant=########-####-####-####-############
managementURI=https\://management.core.windows.net/
baseURL=https\://management.azure.com/
authURL=https\://login.windows.net/
graphURL=https\://graph.windows.net/
please check:here

Related

How to access azure AD using python SDK

I am new to Azure, I want to write a python function to access Azure AD and list the existing groups there, I am facing issues logging into azure. I have been working in AWS there I use boto3 as SDK and I use the command line or programmatic acess. Following is the code that I have
from azure.graphrbac import GraphRbacManagementClient
from azure.common.credentials import UserPassCredentials
# See above for details on creating different types of AAD credentials
credentials = UserPassCredentials(
'user#domain.com', # The user id I use to login into my personal account
'my_password', # password of that account
resource="https://graph.windows.net"
)
tenant_id = "82019-1-some-numbers"
graphrbac_client = GraphRbacManagementClient(
credentials,
tenant_id
)
I want to know which is professional way of logging into azure, how do i list the groups present in my azure AD, what code changes do i have to do for that
Snapshot of the API permission
To retrieve list of Azure AD groups, make sure to grant Directory.Read.All for your application like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> API permissions
You can make use of below script to get the list of Azure AD Groups by Krassy in this SO Thread:
from azure.common.credentials import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient
credentials = ServicePrincipalCredentials(
client_id="Client_ID",
secret="Secret",
resource="https://graph.microsoft.com",
tenant = 'tenant.onmicrosoft.com'
)
tenant_id = 'tenant_id'
graphrbac_client = GraphRbacManagementClient(credentials,tenant_id)
groups = graphrbac_client.groups.list()
for g in groups:
print(g.display_name)
For more in detail, please refer below links:
Azure Python SDK - Interact with Azure AD by Joy Wang
How to access the list of Azure AD Groups using python by Will Shao - MSFT

Using Managed Identities for containers running in PCF to access Azure Blob Storage

I would like to know if it is possible to access a blob storage by a container running in Pivotal Cloud Foundry in Azure using a Managed Identity , say system assigned managed identity, or i need to use a Service Principal Object. Any help is appreciated.
Earlier we were using SAS by coding the URL in the code, but want to use Azure AD to do authentication of our API app running inside container. So what is the best way to achieve this
In Pivotal Cloud Foundry, you could not use the managed identity(MSI) to auth, when using MSI to auth, it essentially makes an API call to azure instance metadata endpoint to get the access token, then use the token to auth, it is just available in an Azure environment support MSI.
In this case, the best practice is to use a service principal to auth as you mentioned, please follow the steps below.
1.Register an application with Azure AD and create a service principal.
2.Get values for signing in and create a new application secret.
3.Navigate to the storage account in the portal -> Access Control (IAM) -> assign a Storage Blob Data Contributor/Storage Blob Data Owner role to the service principal like below.
4.The use the java code below, to do a quick test, in my sample, I list all the blobs in a container, just do other things depends on your requirement, replace the values with yours got from step 2.
pom.xml:
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
<version>1.2.0</version>
</dependency>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-storage-blob</artifactId>
<version>12.11.0-beta.1</version>
</dependency>
Code:
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;
import com.azure.storage.blob.models.BlobItem;
public class vacate {
public static void main(String[] args) {
String clientId="xxxxxx";
String clientSecret="xxxxxx";
String tenantId="xxxxxx";
ClientSecretCredential credential1 = new ClientSecretCredentialBuilder()
.tenantId(tenantId)
.clientId(clientId)
.clientSecret(clientSecret)
.build();
BlobServiceClient storageClient = new BlobServiceClientBuilder()
.endpoint("https://joystoragev2.blob.core.windows.net")
.credential(credential1)
.buildClient();
BlobContainerClient containerClient = storageClient.getBlobContainerClient("tescon1");
System.out.println("\nListing blobs...");
for (BlobItem blobItem : containerClient.listBlobs()) {
System.out.println("\t" + blobItem.getName());
}
}
}
For more details, see Quickstart: Manage blobs with Java v12 SDK.
Update:
If you want a user-interactive way to auth, just use these ways - Authenticating Users instead of ClientSecretCredential.
Actually different auth ways in SDK use different auth flows in Azure AD, e.g. ClientSecretCredential uses client credential flow, it is a non-interactive way, DeviceCodeCredential uses device code flow, it is user-interactive way.
To use these user-interactive ways in your case, you need to navigate to the AD App in the portal -> add the delegated permission user_impersonation of Azure storage.
suppose a particular user should have only read access to the Blob Endpoint and another user might have full CRUD access to the Blob Endpoint, how this will be determined when the user calls this API from a front end application?
Yes, this can be achieved by the delegated permission added above. When the user use the auth ways to login the AD App, the App will let the user consent the user_impersonation permission, after consent(the AAD tenant of the user needs to allow the users to consent the permission by theirselves), the AD App will get the permission from the user, then act on behalf of the user. In short, the permission of the app comes from the user, different users have different permissions, then app will have different permissions.
So in your case, just add users with different roles in the storage account like step 3 above. For read access, just add Storage Blob Data Reader, for CURD access, add Storage Blob Data Contributor/Storage Blob Data Owner, then use the user-interactive ways above, it will work.

Azure Key Vault Service to store credentials

My Azure PaaS service supports authenticating directly with OAUTH (Event Hub).
How do you distribute the credentials for this securely to Confidential Clients?
Sorry i'm new to Cloud Development.
As you mentioned, you can use Azure keyvault to store the client secret of your Azure AD App Registration.
Just add the client app/user account to the Azure keyvault Access Policy with the correct permission, then only them can access your azure keyvault to retrieve the client secret.
Update:
You need to create a new Azure AD App Registration used to access the keyvault(this AD App is just to access keyvault, not access to eventhub), store its client id and secret as the environment variables, then use the SDK to get the secret. After that, use ClientSecretCredential to access eventhub.
TokenCredential credential = new ClientSecretCredential("<tenantId>", "<clientId>", "<clientSecret>");
var fullyQualifiedNamespace = "<< FULLY-QUALIFIED EVENT HUBS NAMESPACE (like something.servicebus.windows.net) >>";
var eventHubName = "<< NAME OF THE EVENT HUB >>";
await using (var producer = new EventHubProducerClient(fullyQualifiedNamespace, eventHubName, credential))
{
using EventDataBatch eventBatch = await producer.CreateBatchAsync();
eventBatch.TryAdd(new EventData(new BinaryData("First")));
eventBatch.TryAdd(new EventData(new BinaryData("Second")));
await producer.SendAsync(eventBatch);
}
Reference - Using an Active Directory principal with the Event Hub clients
Note: Actually, if your code will be deployed to the Azure service that supports Managed Identity(MSI), e.g. Azure App service, VM, etc, the best practice is to use MSI to auth eventhub, no need to create the AD Apps and use their client secrets, neither the keyvault.
Reference - Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources

What and how to pass credential using using Python Client Library for gcp compute API

I want to get list of all instances in a project using python google client api google-api-python-client==1.7.11
Am trying to connect using method googleapiclient.discovery.build this method required credentials as argument
I read documentation but did not get crdential format and which credential it requires
Can anyone explain what credentials and how to pass to make gcp connection
The credentials that you need are called "Service Account JSON Key File". These are created in the Google Cloud Console under IAM & Admin / Service Accounts. Create a service account and download the key file. In the example below this is service-account.json.
Example code that uses a service account:
from googleapiclient import discovery
from google.oauth2 import service_account
scopes = ['https://www.googleapis.com/auth/cloud-platform']
sa_file = 'service-account.json'
zone = 'us-central1-a'
project_id = 'my_project_id' # Project ID, not Project Name
credentials = service_account.Credentials.from_service_account_file(sa_file, scopes=scopes)
# Create the Cloud Compute Engine service object
service = discovery.build('compute', 'v1', credentials=credentials)
request = service.instances().list(project=project_id, zone=zone)
while request is not None:
response = request.execute()
for instance in response['items']:
# TODO: Change code below to process each `instance` resource:
print(instance)
request = service.instances().list_next(previous_request=request, previous_response=response)
Application default credentials are provided in Google API client libraries automatically. There you can find example using python, also check this documentation Setting Up Authentication for Server to Server Production Applications.
According to GCP most recent documentation:
we recommend you use Google Cloud Client Libraries for your
application. Google Cloud Client Libraries use a library called
Application Default Credentials (ADC) to automatically find your
service account credentials
In case you still want to set it manaully, you could, first create a service account and give all necessary permissions:
# A name for the service account you are about to create:
export SERVICE_ACCOUNT_NAME=your-service-account-name
# Create service account:
gcloud iam service-accounts create ${SERVICE_ACCOUNT_NAME} --display-name="Service Account for ai-platform-samples repo"
# Grant the required roles:
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member serviceAccount:${SERVICE_ACCOUNT_NAME}#${PROJECT_ID}.iam.gserviceaccount.com --role roles/ml.developer
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member serviceAccount:${SERVICE_ACCOUNT_NAME}#${PROJECT_ID}.iam.gserviceaccount.com --role roles/storage.objectAdmin
# Download the service account key and store it in a file specified by GOOGLE_APPLICATION_CREDENTIALS:
gcloud iam service-accounts keys create ${GOOGLE_APPLICATION_CREDENTIALS} --iam-account ${SERVICE_ACCOUNT_NAME}#${PROJECT_ID}.iam.gserviceaccount.com
Once it's done check whether the ADC path has been set properly by checking:
echo $GOOGLE_APPLICATION_CREDENTIALS
Having set the ADC path, you don't need to import from code the service access key, which undesirable, so the code looks as follows:
service = googleapiclient.discovery.build(<API>, <version>,cache_discovery=False)

Azure AD add keys via Azure CLI

I'm trying to add a key in my Azure AD application using Azure CLI.
But looking throught the Azure CLI API it seems that there is no such command.
For exmaple:
I'm trying to automate the task from the link below via Azure CLI:
http://blog.davidebbo.com/2014/12/azure-service-principal.html
I can create AD application, service principal, but I can't find a way to add key for newly create AD application.
I'll appreciate any ideas and directions :)
Thanks in advance !
For a new AD application, you can specify a key with -p while creating. For example,
azure ad app create -n <your application name> --home-page <the homepage of you application> -i <the identifier URI of you application> -p <your key>
For an existing AD application, surely the Graph API is able to update the AD Application Credential. Read this API reference, and you can see that the password credential is able to use "POST, GET, PATCH". However, it's too complicated to use the Graph API. I have check the Azure CLI. That functionality is not yet implemented, and the source is unreadable for me. Then, I took a look at Azure SDK for Python, because I am familiar with python, and I found out that they have already implemented it in 2.0.0rc2. See the GitHub Repo
I have written a python script. But, in order to use my script you need to install not only azure2.0.0rc2, but also msrest and msrestazure.
from azure.common.credentials import UserPassCredentials
from azure.graphrbac import GraphRbacManagementClient, GraphRbacManagementClientConfiguration
from azure.graphrbac.models import ApplicationCreateParameters, PasswordCredential
credentials = UserPassCredentials("<your Azure Account>", "<your password>")
subscription_id = "<your subscription id>"
tenant_id = "<your tenant id>"
graphrbac_client = GraphRbacManagementClient(
GraphRbacManagementClientConfiguration(
credentials,
subscription_id,
tenant_id
)
)
application = graphrbac_client.application.get('<your application object id>')
passwordCredential = PasswordCredential(start_date="2016-04-13T06:08:04.0863895Z",
end_date="2018-04-13T06:08:04.0863895Z",
value="<your new key>")
parameters = ApplicationCreateParameters(application.available_to_other_tenants,
application.display_name,
"<the homepage of your AD application>",
application.identifier_uris,
reply_urls=application.reply_urls,
password_credentials = [passwordCredential])
application = graphrbac_client.application.update('<your application object id>', parameters)
The only problem with this script is that you are only able to override all the existing keys of you AD application. You are not able to append a new key. This is a problem of the Graph API. The Graph API does not allow users to read an existing key. One possible solution would be storing your existing keys somewhere else. But, this will bring extra security risk.
I don't have any experience of automating adding the key, I'm not sure it's even possible to be honest. However have a look at the ApplicationEntity documentation in the Graph API, it might be possible using a POST request to the web service.

Resources